CVE-2020-36242 (High) detected in cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl, cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

[mend-for-github-com]

CVE-2020-36242 - High Severity Vulnerability

Vulnerable Libraries - cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl, cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/45/f9/ee6878ab822eef403a4282c8ce80d56e3121c9576a6544377df809363b50/cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: cloud-pipeline/pipe-cli

Path to vulnerable library: cloud-pipeline/pipe-cli,cloud-pipeline/pipe-cli/requirements.txt,cloud-pipeline/pipe-cli/requirements.txt,cloud-pipeline/pipe-cli

Dependency Hierarchy:

• pyOpenSSL-19.0.0-py2.py3-none-any.whl (Root Library)
  • ❌ cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/c3/c1/cf8665c955c9393e9ff0872ba6cd3dc6f46ef915e94afcf6e0410508ca69/cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: cloud-pipeline/scripts/git-role-management/requirements.txt

Path to vulnerable library: cloud-pipeline/scripts/git-role-management/requirements.txt

Dependency Hierarchy:

• ❌ cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf

Found in base branch: develop

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2